危险字符过滤的类[转]
2008-07-09 14:37
288 查看
1using System; 2using System.IO; 3using System.Text; 4using System.Text.RegularExpressions; 5using System.Runtime.Remoting; 6using System.Runtime.Remoting.Proxies; 7using System.Runtime.Remoting.Messaging; 8using System.Reflection; 9 10namespace FilterRealProxy 11{ 12 /**//**//**//// <summary> 13 /// FilterRealProxy类:一个真实代理, 拦截它所代理对象中方法的返回值,并对需要过滤的返回值进行过滤。 14 /// </summary> 15 public class FilterRealProxy:RealProxy 16 { 17 private MarshalByRefObject target; 18 public FilterRealProxy(MarshalByRefObject target):base(target.GetType()) 19 { 20 this.target=target; 21 } 22 public override IMessage Invoke(IMessage msg) 23 { 24 IMethodCallMessage callMsg=msg as IMethodCallMessage; 25 IMethodReturnMessage returnMsg = RemotingServices.ExecuteMessage(target,callMsg); 26 //检查返回值是否为String,如果不是String,就没必要进行过滤 27 if(this.IsMatchType(returnMsg.ReturnValue)) 28 { 29 string returnValue=this.Filter(returnMsg.ReturnValue.ToString(),returnMsg.MethodName); 30 return new ReturnMessage(returnValue,null,0,null,callMsg); 31 } 32 return returnMsg; 33 } 34 protected string Filter(string ReturnValue,string MethodName) 35 { 36 MethodInfo methodInfo=target.GetType().GetMethod(MethodName); 37 object[] attributes=methodInfo.GetCustomAttributes(typeof(StringFilter),true); 38 foreach (object attrib in attributes) 39 { 40 return FilterHandler.Process(((StringFilter)attrib).FilterType,ReturnValue); 41 } 42 return ReturnValue; 43 } 44 protected bool IsMatchType(object obj) 45 { 46 return obj is System.String; 47 } 48 } 49 50 /**//**//**////<summary> 51 /// StringFilter类:自定义属性类, 定义目标元素的过滤类型 52 ///</summary> 53 public class StringFilter:Attribute 54 { 55 protected FilterType _filterType; 56 57 public StringFilter(FilterType filterType) 58 { 59 this._filterType=filterType; 60 } 61 public FilterType FilterType 62 { 63 get 64 { 65 return _filterType; 66 } 67 } 68 } 69 70 /**//**//**//// <summary> 71 /// 枚举类:用于指定过滤类型,例如:对script过滤还是对html进行过滤? 72 /// </summary> 73 [Flags()] 74 public enum FilterType 75 { 76 Script = 1, 77 Html =2, 78 Object=3, 79 AHrefScript=4, 80 Iframe=5, 81 Frameset=6, 82 Src=7, 83 BadWords=8, 84 //Include=9, 85 All=16 86 } 87 88 /**//**//**////<summary> 89 /// 过滤处理类:根据过滤类型,调用相应的过滤处理方法。 90 ///</summary> 91 92 public class FilterHandler 93 { 94 private FilterHandler() 95 { 96 } 97 public static string Process(FilterType filterType,string filterContent) 98 { 99 switch(filterType) 100 { 101 case FilterType.Script: 102 filterContent=FilterScript(filterContent); 103 break; 104 case FilterType.Html: 105 filterContent=FilterHtml(filterContent); 106 break; 107 case FilterType.Object: 108 filterContent=FilterObject(filterContent); 109 break; 110 case FilterType.AHrefScript: 111 filterContent=FilterAHrefScript(filterContent); 112 break; 113 case FilterType.Iframe: 114 filterContent=FilterIframe(filterContent); 115 break; 116 case FilterType.Frameset: 117 filterContent=FilterFrameset(filterContent); 118 break; 119 case FilterType.Src: 120 filterContent=FilterSrc(filterContent); 121 break; 122 //case FilterType.Include: 123 // filterContent=FilterInclude(filterContent); 124 // break; 125 case FilterType.BadWords: 126 filterContent=FilterBadWords(filterContent); 127 break; 128 case FilterType.All: 129 filterContent=FilterAll(filterContent); 130 break; 131 default: 132 //do nothing 133 break; 134 } 135 return filterContent; 136 } 137 138 public static string FilterScript(string content) 139 { 140 string commentPattern = @"(?'comment'<!--.*?--[ /n/r]*>)" ; 141 string embeddedScriptComments = @"(///*.*?/*//|////.*?[/n/r])" ; 142 string scriptPattern = String.Format(@"(?'script'<[ /n/r]*script[^>]*>(.*?{0}?)*<[ /n/r]*/script[^>]*>)", embeddedScriptComments ) ; 143 // 包含注释和Script语句 144 string pattern = String.Format(@"(?s)({0}|{1})", commentPattern, scriptPattern) ; 145 146 return StripScriptAttributesFromTags(Regex.Replace(content,pattern,string.Empty,RegexOptions.IgnoreCase)); 147 } 148 149 private static string StripScriptAttributesFromTags( string content ) 150 { 151 string eventAttribs = @"on(blur|c(hange|lick)|dblclick|focus|keypress|(key|mouse)(down|up)|(un)?load 152 |mouse(move|o(ut|ver))|reset|s(elect|ubmit))" ; 153 154 string pattern = String.Format(@"(?inx) 155 /<(/w+)/s+ 156 ( 157 (?'attribute' 158 (?'attributeName'{0})/s*=/s* 159 (?'delim'['""]?) 160 (?'attributeValue'[^'"">]+) 161 (/3) 162 ) 163 | 164 (?'attribute' 165 (?'attributeName'href)/s*=/s* 166 (?'delim'['""]?) 167 (?'attributeValue'javascript[^'"">]+) 168 (/3) 169 ) 170 | 171 [^>] 172 )* 173 />", eventAttribs ) ; 174 Regex re = new Regex( pattern ) ; 175 // 使用MatchEvaluator的委托 176 return re.Replace( content, new MatchEvaluator( StripAttributesHandler ) ) ; 177 } 178 179 private static string StripAttributesHandler( Match m ) 180 { 181 if( m.Groups["attribute"].Success ) 182 { 183 return m.Value.Replace( m.Groups["attribute"].Value, "") ; 184 } 185 else 186 { 187 return m.Value ; 188 } 189 } 190 191 public static string FilterAHrefScript(string content) 192 { 193 string newstr=FilterScript(content); 194 string regexstr=@" href[ ^=]*= *[/s/S]*script *:"; 195 return Regex.Replace(newstr,regexstr,string.Empty,RegexOptions.IgnoreCase); 196 } 197 198 public static string FilterSrc(string content) 199 { 200 string newstr=FilterScript(content); 201 string regexstr=@" src *= *['""]?[^/.]+/.(js|vbs|asp|aspx|php|jsp)['""]"; 202 return Regex.Replace(newstr,regexstr,@"",RegexOptions.IgnoreCase); 203 } 204/**//**//**//* 205 public static string FilterInclude(string content) 206 { 207 string newstr=FilterScript(content); 208 string regexstr=@"<[/s/S]*include *(file|virtual) *= *[/s/S]*/.(js|vbs|asp|aspx|php|jsp)[^>]*>"; 209 return Regex.Replace(newstr,regexstr,string.Empty,RegexOptions.IgnoreCase); 210 } 211*/ 212 public static string FilterHtml(string content) 213 { 214 string newstr=FilterScript(content); 215 string regexstr=@"<[^>]*>"; 216 return Regex.Replace(newstr,regexstr,string.Empty,RegexOptions.IgnoreCase); 217 } 218 219 public static string FilterObject(string content) 220 { 221 string regexstr=@"(?i)<Object([^>])*>(/w|/W)*</Object([^>])*>"; 222 return Regex.Replace(content,regexstr,string.Empty,RegexOptions.IgnoreCase); 223 } 224 225 public static string FilterIframe(string content) 226 { 227 string regexstr=@"(?i)<Iframe([^>])*>(/w|/W)*</Iframe([^>])*>"; 228 return Regex.Replace(content,regexstr,string.Empty,RegexOptions.IgnoreCase); 229 } 230 231 public static string FilterFrameset(string content) 232 { 233 string regexstr=@"(?i)<Frameset([^>])*>(/w|/W)*</Frameset([^>])*>"; 234 return Regex.Replace(content,regexstr,string.Empty,RegexOptions.IgnoreCase); 235 } 236 237 //移除非法或不友好字符 238 private static string FilterBadWords(string chkStr) 239 { 240 //这里的非法和不友好字符由你任意加,用“|”分隔,支持正则表达式,由于本Blog禁止贴非法和不友好字符,所以这里无法加上。 241string BadWords=@""; 242 if (chkStr == "") 243 { 244 return ""; 245 } 246 247 string[] bwords = BadWords.Split('#'); 248 int i,j; 249 string str; 250 StringBuilder sb = new StringBuilder(); 251 for(i = 0; i< bwords.Length; i++) 252 { 253 str=bwords[i].ToString().Trim(); 254 string regStr,toStr; 255 regStr=str; 256 Regex r=new Regex(regStr,RegexOptions.IgnoreCase | RegexOptions.Singleline| RegexOptions.Multiline); 257 Match m=r.Match(chkStr); 258 if(m.Success) 259 { 260 j=m.Value.Length; 261 sb.Insert(0,"*",j); 262 toStr=sb.ToString(); 263 chkStr=Regex.Replace(chkStr,regStr,toStr,RegexOptions.IgnoreCase | RegexOptions.Singleline| RegexOptions.Multiline); 264 } 265 sb.Remove(0,sb.Length); 266 } 267 return chkStr; 268 } 269 270 public static string FilterAll(string content) 271 { 272 content = FilterHtml(content); 273 content = FilterScript(content); 274 content = FilterAHrefScript(content); 275 content = FilterObject(content); 276 content = FilterIframe(content); 277 content = FilterFrameset(content); 278 content = FilterSrc(content); 279 content = FilterBadWords(content); 280 //content = FilterInclude(content); 281 return content; 282 } 283 } 284} 285
相关文章推荐
- 超强过滤sql语句中的危险字符
- 危险字符过滤的类(最新完善版)(1)
- 过滤危险字符的类(asp.net2.0)
- C# 正则表达式 过滤危险字符函数代码 防SQL注入 很全面的SQL关键字过滤
- 危险字符过滤的类(完美版)[2](测试文件,尚待完善)
- 过滤危险字符
- 危险字符过滤的类
- 危险字符过滤的类[转]
- 危险字符过滤的类
- 10-过滤输入字符串中的危险字符(字符串处理)
- 危险字符过滤的类
- 危险字符过滤的类
- 危险字符过滤的类
- 危险字符过滤的类(转)
- 危险字符过滤的类
- 从JavaWeb危险字符过滤浅谈ESAPI使用
- 危险字符过滤的类(最新完善版)(1)
- 两个常用的危险字符过滤函数
- C#对于字符串的处理类(剪裁、过滤危险字符、替换sql中有问题符号等)
- C#对于字符串的处理类(剪裁、过滤危险字符、替换sql中有问题符号等)